IACCM Contract Management Forum

2017-10-06 10:45:50

Ideas or suggestion required with regards to GDPR

I am part of a Contract Management team and we are in the process of a Master Agreement renewal for one of my European clients.

I would welcome any ideas, suggestions on what is needed to change in Master Agreement (MA) and Data Protection Agreement (DPA) to be compliant and respond w.r.t. GDPR to the buyer.

You can suggest overall areas/topics that need an update/change.

 •  IACCM  •   2017-10-06 12:15:39
IACCM conducted an Ask The Expert webinar on this topic, featuring James Mullock of Bird and Bird. His session was highly rated. The recording and James's presentation are in the IACCM Library. Plus, there are a few other resources in the IACCM Library which are relevant. If you have trouble finding these resources, please let me know.

Best Regards,

Jim Bergman
 •   2017-11-13 05:24:25
You can also have a look at the Article 29 Working Party webpage - there is a page setting out draft contract provisions that are in line with the GDPR as it is currently being interpreted. You may not want to use the clauses themselves but can use them as a measure for your own inclusions.
 •  Contract Management Plus  •   2018-03-02 22:54:16
What you need to add to the master agreement are clauses derived from Art. 28. I am also doing the same for my Master Agreements. Here is an example:
Obligations of processors (supplier) in particular include:
- To comply with the GDPR data processing principles and to protect the rights and freedoms of data subjects;
- To demonstrate compliance with the GDPR;
- To maintain records of processing activities and make them available upon request by supervisory authorities;
- To appoint data protection officers or representatives;
- To cooperate with supervisory authorities in the performance of their tasks;
- To ensure a level of security by taking appropriate technical and organisational measures;
- Specific obligations as regards transfer of data outside the EU.
In general, an auditor (DPA) should be able to trace data regarding customers. This also includes emails, Excel spreadsheets with links to external systems such as financial and banking, etc.
It is not enough to have a supplier follow the GDPR. It is of utmost importance that your company/organisation is also GDPR compliant. To start with, you need to have a DPO.
 •  Fujitsu  •   2018-03-20 22:20:03
As mentioned by Amir there are a number of elements to include, and depending on your organisation and the data you are processing you may need to identify a DPO.

Other things you should identify include:

Is the relationship with the supplier a Controller-Processor, Processor-Sub-Processor or Controller-Controller one?
Is special data being transferred to the supplier?
Will the supplier be exporting data outside of the EU?

You may also want to include an indemnity clause in case the supplier causes you to breach the GDPR regulation.

If you go to the Information Commissioner's Office website in the UK (ICO.org.uk) there are some excellent guides and information which may assist you (including links to the Article 29 Working Party).


 •  ABB  •   2018-05-31 17:01:22
Hi, this is not something to answer without knowing more details. Interesting to know is: who is the data processor and who is the data controller? What kind of data flows will there be? How sensitive is the personal data involved in this, etc.? You may want to look at the liability limits.
 •  ERATRUST.PL  •   2018-10-08 12:55:19
The question is what this deal is all about. There will be a different approach to just shipping some goods vs. a complicated outsourcing contract under which you process personal data. Remember that even contact details stated in the agreement, e.g. for contract managers, are considered to be under GDPR scope. My concern is that you very likely act as processor for your customer. The buyer's organization is the Administrator. Did they raise any particular matter?
It looks like you are outside of Europe. GDPR is not only about the DPA to stay compliant. You as a processor have certain duties to fulfill. If your company is not on Privacy Shield list (which in fact may soon become invalid just as Safe Harbour) according to some media news, it could be better to have Standard Contractual Clauses in place.
The topic is very broad and without more details it is difficult to help you.